How to Capture Packets with Wireshark

“Wireshark is a very powerful and popular network analyzer for Windows, Mac Linux- a tool that is used to inspect data passing through a network interface, be it your Ethernet LAN or even Wireless radio. These series of data are considered Frames, of which include “packets”. Wireshark has the ability to capture all the fishy little packets that are sent and received over your network and decode them for analysis.

When you do anything on the internet, like browse websites, chat or transfer files, the data is converted into packets when it passes your network interface/LAN card. Wireshark will hunt for those packets in the TCP/IP layer (during transmission) and keep whatever it finds. It’s important to keep Wireshark in mind if you’re a network admin who needs to double check that all your customer’s sensitive data is being transmitted securely!

On the other hand, you might want to watch out for those sharks using this tool on open networks or your company’s computers, and steer clear of plaintext protocols like HTTP. Consider using HTTPS Everywhere, or encapsulating your packets in a secure SSH or VPN tunnel — they’re like shark cages for the Internet! After the break, lets boot up Wireshark and see how it works!

Run Wireshark as sudo if you don’t see any interfaces: gksudo wireshark in terminal- sudo for graphical applications. I’ve already installed Wireshark and started the application. Under the “Capture” section, you can choose the device you want to sniff. At the top of the application is a button called “Capture Options” where you can customize your captures. Under the “Interface List” you’ll see one of your devices actually sending and receiving packets. This is your active one. Click Options and customize to your liking, then click start. This will take you to a new pane that’ll show you the packets that are being captured by Wireshark.

To gather some data we’ll fire up our web browser and swim on over to www.sharkweek.com

There are plenty of fishes in this sea, so hit the Stop button in Wireshark and you can start analyzing. Scroll through the long list of packets and find one that looks interesting.

There’s a lot of info here so lets start with the columns. The first column is the packet number, the second is how many seconds it has been since the start of capture, the third column is the source IP address. The fourth column shows you where the packet will be sent- the destination IP address. The fifth column is the protocol that sent the packet (DNS for domain name servers, TCP for transmission control protocol, or HTTP for browsing for example). The last column shows you a little more information about what’s going on during the packet capture.

Since we have a bunch of data collected we’ll want to filter it. Let’s look at just the http requests. To do so enter http.request in the filter bar in the top left and press enter. Once we find an HTTP packet of interest, we can right-click on it and select “Follow TCP Stream” to get the raw contents. Here we can see what I sent in pink, and Discovery’s response in blue.

Did you catch a lot of packets today using Wireshark? Tell me about it in the comments or email me tips@hak5.org with your thoughts. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.”